Schneier on Security

Bruce, shouldn't the last paragraph not be indented?

As a Virginia resident, this surprises me not at all. The VA DMV, despite their insistence on fifty different forms of government-issued ID before they will even consider issuing a license or non-driver's ID, managed to MISSPELL MY NAME on their newly-issued one.

I didn't notice until I was out of the building, because who thinks the DMV is going to misspell your name? I am still misspelled on the voter rolls, though I did get the ID fixed (after another four-hour wait in line, another 'feature' of VA DMV 'service').

They are incompetent. They have not become any less so.

@ Nils, yes the blockquote tag hasn't been closed properly after "Thanks, guys."

great blog, btw. :)

Do they at least take away the old licenses when they issue new ones, or do these guys now have a collection?

The lady who took ID photos at my high school would let you make ridiculous faces for the second photo. If you begged and she was in a good mood, she'd let you keep the second ID with the funny photo.

I had never really thought about how astonishingly bad for security that ID card camera system was. You sat in front of it, they took two pictures, and a polaroid picture with two IDs on it was printed. You picked the one you wanted, it was laminated, and the other was thrown away. Or not.

And yes, this was in Virginia. (in the 80s.)

Blockquote problem fixed. Thank you.

"Do they at least take away the old licenses when they issue new ones, or do these guys now have a collection?"

Funny thing about the VA DMV. If you come in in person to renew your license or change your address, they require you to surrender your current license. However! If you renew/change address/claim-you-lost-your-license online, they mail out a new/updated one in a few days.

mmm ... we learned a couple of weeks ago that the DHS does not like having poor security publicised (re: we based boarding pass generator).

It will be interesting to see their reaction toward the pranksters.

Why is this a big deal? The photo is a method of ID. Maybe I ALWAYS drive my car dressed that way. If I don't, then when stopped (or purchasing something requiring a picture id) I get told "that's not you" followed by either "put it back" or "step out of the car". After I tire of being locked up every time I get stopped, I return to the DMV and PAY to get a replacement license. In some part of the world, this could be an educational experience. In the US it becomes a political experience.

Yes it is more expensive that way but fines etc, can be used to recoup the costs while educating the public about the 'bad idea' of screwing with security photos.

And YES it is easier to ask at the DMV "do you REALLY want to look that stupid on the photo". However, it is also possible to get someone truly honked off if you ask the question and they AREN'T screwing about (where do you draw the line, is the average clerk the guy you want deciding).

Bottom line, is it 'your' job to take the security photo seriously or the clerk's job to resolve vague issues of what is acceptable appearance?

grayputer, the absurdity is not that the photo taker didn't do his or her job, but that our drivers license is used as the most important means of identifying who we are to the "authorities"

My job requires looking at a lot of IDs.

People would be amazed, if only they knew how often I run into bad photos, misspellings of names and addresses, you name it. The good news is that the photos are now kept digitally. Thumbprints are becoming more common, too.

Social engineering works on DMV clerks just like it works on everyone else. The rest is left to the reader's imagination at their own (and serious) risk.

My British railpass application was denied in the early 90s because I was smiling in my picture. I came back with a picture of me sticking my tongue out, but that seemed to really annoy the staff. I tried to point out that the photos never really look like me anyway, and I was going to try a wig, but I eventually just succumbed to the humorlessness of carded train travel in England.

Interesting to note that to get a passport you can use a credit card and a friend to prove your identity. I never tried that angle:

http://travel.state.gov/passport/get/first/...

"1. Some signature documents, not acceptable alone as ID

(ex: a combination of documents, such as your Social Security card, credit card, bank card, library card, etc.)

AND

2. A person who can vouch for you. He/she must
* Have known you for at least 2 years,
* Be a U.S. citizen or permanent resident,
* Have valid ID, and
* Fill out a Form DS-71 in the presence of a passport agent."

And oddly enough, Form DS-71 doesn't require your friend to have a passport either...

http://travel.state.gov/pdf/DS-0071.pdf

For what it is worth, the Richmond Times Dispatch Web sites has an article about the disguise stunt at http://www.richmondtimesdispatch.com/servlet/...

One particularly interesting item in the RTD news story is this:
"Because of the video, a new policy could make it more difficult for people to obtain a reissued Virginia license. It could also get harder for those with a facial alteration or disfigurement to obtain an ID, [VA DMV spokesman Bill] Foy said."

A new policy yet to be developed?

@Joe

I think his point, and I totally agree, was just that this doesn't cause a lapse in security, at all. It's pretty much the equivelent of giving these guys invalid IDs. Unless they're dressed in the same manner as the ID, it won't fly under any sort of scrutiny whatsoever.

I mean, certainly if you could get an ID that looked like someone else, then you'd have a problem. However, that would require some decent makeup and if it's done right it wouldn't raise alarms anyways.

My driver's license still says I'm 220 lbs when I'm a little less than 120, and have always been. Nobody checks what you put on the application. Blonde versus brunette, brown eyes versus blue eyes: all over this is a sorry joke.

Sorry I don't see what the big deal is about having a license with a picture on it that doesn't look like you...if you could get your picture on someone else's license, that is one thing. But these licenses are useless to these guys, it's not like having a stupid picture on them means they'll be able to commit crimes or anything.

That's nothing. In Michigan, you don't need anything in the way of ID to get a State ID, Drivers License, or apparently, a SSN. All you need is an address - no proof that you live at that address whatsoever. You can literally scribble a name and address down on a piece of paper, and get a driver's license and SSN. I personally know people who have done just that.

At North Carolina State University in the fall of 1992, I was my fraternity chapter's secretary. I kept the fraternity seal. One day two under-21 brothers came to me asking me to place the seal on two forged Wisconsin birth certificates they'd made with some desktop publishing software. (Why they chose Wisconsin, I don't know) This was 1992, remember. I told them that the seal did not say "State of Wisconsin" but did in fact say "[Redacted] Chapter of [Redacted Redacted Redacted]" They asked me to crimp it lightly. These two guys then went off to the N.C. DMV and got official state identification (not licenses) saying they were over 21. One brother's license said, naturally, BENJAMIN DOVER. The second brother's was ROSS P. DOVER. To this day I don't get the joke made by the second name. But anyway, they had bulletproof fake IDs, because they were the real thing.

Mark,
What good does a photo on an ID do if, when people are checking the ID, they can't rely on the photo being an accurate representation of the person they are authenticating?
Or, if such gross misrepresentations are accepted by (one assumes) people trained and vested with creating IDs, what's to keep someone from assuming a handy disguise for an accomplice?
Or, well, IDs are used for authentication. If they are not accurate and trusted, they are nothing.

My husband has an Arizona license. It's good until he's 65 (he's 36 now). Somehow, I don't think he is going to resemble the photo on his ID in 2035.

Wow, speaking of using pictures for identification, have you read the story about the communications director for U.S. Representative Denny Rehberg (R-MT)?

I hate to give away the punchline, but you have to read this to believe it:

http://www.talkingpointsmemo.com/archives/...

"The 'hackers' ask for pictures of the campus with squirrels and pigeons to make sure he's 'legit'. He says he doesn't live near campus anymore. Remember, he lives in DC, not Texas. So they tell him any picture of a pigeon or squirrel will do."

I mean what more proof of legitimacy do you need other than a picture of a pigeon or squirrel?

The email thread is simply amazing. I hope to see dramatic interpretations of this whole thing in online video format any day now:

http://www.attrition.org/postal/z/033/0871.html

"...let's be clear. You are soliciting me to break the law and hack into a computer across state lines. That is a federal offense and multiple felonies. Obviously I can't trust anyone and everyone that mails such a request, you might be an FBI agent, right?

So, I need three things to make this happen:

1. A picture of a squirrel or pigeon on your campus. One close-up, one with background that shows buildings, a sign, or something to indicate you are standing on the campus."

ROFL!

Actually, the squirrel requirement was somewhat explained!

"Main thing is to prove to a degree who you are,
that you can do something unique and quickly, etc."

My translation: "Yes, I'm deliberately asking you to do something nonsensical to see how committed you are".

The next message shows that Todd understood it that way too:

"Is there some other sign of trust I can extend
to you or should I wait a few weeks and travel to my school and get these pictures?"

So, in his shoes, I would not find it odd that a deliberately nonsensical request did not, in fact, make sense :)

@ Richard

Interesting perspective. Could you take a photo of a squirrel or a carrier pigeon to prove to us who you are and back up how committed you are to your statement?

Snow globe prohibitions make a lot more sense than some of the other ones. Snow globes can't be opened non-destructively to check on the contents. Of course, why it is ok to put them in checked baggage if they are so dangerous is beyond me.

"Snow globe prohibitions make a lot more sense than some of the other ones. Snow globes can't be opened non-destructively to check on the contents. Of course, why it is ok to put them in checked baggage if they are so dangerous is beyond me."

The trick is not to think about this stuff too much. Otherwise none of it really makes sense.

This is not the real issue, which is that "driver licenses" are civil contracts, which by definition must be voluntary, without extortion, threats nor duress. US Constitution guarantees the Natural Right to travel without paying a travel tax, and without fear from Police State Death Squads. Tennessee DMV/THP sold driver licenses to 250,000 illegal alien criminals after 9/11, so far, as do other states. Police are not allowed to arrest illegal aliens during traffic stops, preferring to profit from traffic tickets. The borders are wide open, with 10,000 criminal invaders every day, 40-million so far, 200-million on the way. US Dept of Homeland Security is directed by a current citizen of Israel, and an Israeli contractor will be in charge of the video cameras watching only a tiny portion of the border, which has no wall. US soldiers are not allowed to defend the US borders, and were not allowed to defend USA on 9/11/2001. The 6th Plank of the Communist Manifesto is "govt control of communications and transportation". These are the REAL issues.

@Davi

This one was taken by my wife, is that ok?

http://www.flickr.com/photos/lynoure/59488185/

The nuts are natural ones from this area, you can do a DNA analysis.

Since this is a squirrel with a nut, it is clearly a "1" squirrel and not a "0" squirrel (for the purpose of Internet protocols).

I would like to subscribe to your newsletter.

The ID schemes, virtually all of them, it's called tyranny, people. The US citizen is a sovereign, free individual who does not need permission to travel. You use these licenses out of convenience and fear. Does licensing not offend anyone else here?

@ Pirate News TV

General Ripper is that you? Have you moved on from film to TV? I aways wondered where you went after that famous last stand:

http://www.filmsite.org/drst2.html

"I can no longer sit back and allow Communist infiltration, Communist indoctrination, Communist subversion, and the international Communist conspiracy to sap and impurify all of our precious bodily fluids."

Are we in condition red yet? Is it time for Plan S?

It had always been my understanding that I could be arrested for not producing ID when requested from an officer of the law. I had never questioned this assumption until recently reading the Constitution and Bill of Rights. Now I question every tax imposed on me by the state.

DMV is a joke is most states so is the SS administration:
Consider the following:
================
Half Cover Will Travel
By
Randle Flagg

This opinion article is submitted to be distributed freely and to generate opinions.

When is the government or better yet intelligence agencies going to get serious about cover for its employees? Now I know people might say, before 911 they had not a clue, well I am here to say in my opinion, after 911 they still are not doing enough. That is until someone proves me wrong. The CIA and others have recently told potential applicants not to tell anyone if possible of their intentions of applying as it might make it hard for them to do cover work.

The role of cover as defined is :To protect by contrivance or expedient, to hide from sight or knowledge. Let us take a for instance.

When a Person ( Bob) applies for a job at the National Security Agency or Central Intelligence Agency, Defense Intelligence Agency, Federal Bureau of Investigation or any of the others, that is considered of national security, it is usually done through several ways. First through the agency website. Now if I do not want anyone to know that I am going to apply there, how do I know that my connection is safe. For argument sake, I apply through my home computer, which uses a Internet connection supplied by the wonderfully fast XYZ Inc. Which is a USA owned company. Now I have been surfing, find the agency website and apply. Everything up to the point when I apply is open for my provider, XYZ to see. Unless I use a secure connection or anonymizer, but do we really think the government would let exist such communications without being able to monitor, ya right. For argument sake lets say XYZ is a growing company with billions of dollars, and in need of many people to handle administration to networks , router, switches and customer accounts. I am joe hiring manager and I need 100 service reps to handle customer accounts and phone issues. I need another 100 to handle the telecoms infrastructure and I need another 100 for software programming. XYZ is a consciousness company and is concerned about getting the right people hired and for argument sake they only advertise to hire US citizens. As joe hiring manager I am super busy and rely on my crack Human Resource team to vet all employees. Human Resources, has the best software and does online background checks on theses employees and all 300 pass muster. WOW, Human Resources must be really good and they did a background check, meaning they looked back 5 maybe 10 years on a credit report. Red Flag! Also, they did not call references or run names through FBI as they were too busy thinking of their next move to get Human Resources elevated to a boardroom seat and the FBI does not have the people to handle running names for every corporate company, even though it is only 300 people that XYZ has in their entire company. So now as joe hiring manager I have 300 people composed of Asian, Indian, American, Muslim, and other assorted people who are god loving USA loving patriots and I have nothing to worry about, WRONG.

Whats wrong with this picture? The fact is that XYZ has 80,000 employees not 300 and is that no where in this chain can a company total guard against the potential wrong doing insider or foreign intelligence service. Worse yet, lets figure that of the 80,000 only 10 are bad folks and of that 10 only 5 are supplanted by a foreign country to gather Intel. Yes I said supplanted! Do you think for one second that foreign Intel services have not instructed their students going to college here in the USA for 10 years or more to assimilate, become one and then suck us dry. The fact is the FBI has said publicly that just china alone has over 3000 front businesses, never mind the tens of thousands of students. Foreign intelligence tells their people to go to the USA and set up a life, get a house, marry, join the local clubs, establish a credit history and perhaps a SS#. Oh did I mentioned that my crack Human Resources department ran social security numbers and none came back as bad. Why, because the system is broke and the social security administration cannot verify a foreign intelligence agent because they have been here for 10 years and got a number the legal way!

Do you think for one second that foreign intelligence services would rather milk our USA companies for intelligence rather then try to plant spies inside the intelligence agencies themselves as it is way to hard and the failure rate would be cost prohibitive, but I am sure they point a few of them that way for yucks. Now back to our bright, well educated person,Bob who has looked up every grain of sand on his next employer, with his XYZ connection -in this case the intelligence agencies and he has applied.The spie / wrong doing insider in XYZ inc is an admin and looks for people searching and applying to intel agencies. That might be a nice piece of info combined with their IP address, account on XYZ , where they live, what restaurants they like to research and eat at ( nice for a bump into meeting),who they email, what school they go to or current job, who they write love letters to - behind their spouses back, what porn they surf, what electronics they buy and might have in their house--( don't think for one minute that foreign Intel services are not capable of engineering a micro camera and or recording devices into your house, TV , stereo, alarm system or whatever. If they know you are going to work for any Intel outfit or area of interest, they wil find a way to either monitor you or meet you. Just because USA Intel does it does not mean they are the only game in town. The point is, Bob's cover is blown before he even starts. Another point, What about Bob's neighbors, are they hacking him by WiFi??

Let us go one step further; Bob uses a secure connection to surf and apply, he gets a interview and a letter is sent from the agency which he applied to his address at home or at the 600 unit apartment building he rents at and bang, the postal guy accidentally puts Bobs interview letter/ form that the agency sent into his neighbors box. His neighbor, might be someone he knows, does not know, is a blabber mouth, or just happens to be someone who is a collector of information and sees who it is from and it now ends up on the Internet or makes note of it or does not even give the letter to Bob and reads it himself (Numan) so much for Bob's cover. Lets say Bob has made it through the tests for the job and now has to have a background investigation. This now means that Bob, has to have at leasts 8 people he knows, now know he is doing something a little out of the ordinary and the background investigator is going to knock on his neighbors doors who might be foreign Intel or blabber mouths or gossip kings and queens at their local country club. red flag. Even if the investigator tells all these people he works for the local consulting company and is just checking references, he still has to ask the questions on the SF86 and others that totally blow any covertness.

Moving on,now lets say Bob has not had a breach of security though the interview and is hired. He has to have direct deposit to his Bank, Bank of The United States and they only have 1000 employees ya right make that 200,000 and operate in several countries and/or share personal information for marketing purposes with companies that are of suspect origin. red flag! forget that last foepa! Bob is under cover working for a Intel agency, what shows up in his bank statements??? I bet it has something to do with the government, red flag! What about his health insurance he has through the government, surely company INTEL agency has it under control. What does it look like when half his premium gets paid by a government entity? red flag! What about the life insurance, long term care, professional liability insurance; which many Intel folks buy to CYA, but who is CYAing them and the company? So all these red flags, and lets say for argument sake he has not been found out. Wait a minute Bob gets sick and goes to the hospital and presents his health insurance card, the admission person see this and says, oh you work for the government, my friend I know has the same insurance and works for the intelligence agencies. red flag! Or one of Bob's family members has to use health ins or other covered service,if Bob had a family, were they given instructions on how to present themselves or will his wife Alice, blab about it the work? red flag.

How about this; one day Bob is mowing his lawn and sees his neighbor,our man Flynn,who starts talking to him and asks, hey Bob, what do you do for a living, ( Bob replies ) oh I work for the DOD, wrong answer. red flag. I work for a consulting company,XYZ, wrong answer, red flag,a lie that now must have to be proven true, you see our man Flynn is in the Intel business ( forigen ) and knows already that several of the neighbors are consultants but really work for NSA,CIA etc.. You see Bob, was never given a ( Non Official Cover and story ) to aid him or never told not to tell anyone or trained in rehearsing the company line. In addition to Bobs latest foepa, Bob has been going to many meetings in the government sector, and private sector as a scientist and putting down his real name, agency email address and agency address on all the sign-in sheets, Bad Bob. He also was never given a cover name, because, well the agency did not think he needed it or it is to expensive to think up one with a cover story. Bob is FU&*ed throughout this entire process.

OK, I know you might be saying , your crazy , paranoid, ma sugar, bats in the belfry. Reverting back to the XYZ example, lets forget that it was a USA owned Internet company. How about a French owned telecoms or perhaps a china telecoms or how about Print, Herizon, Xtel ( Not there real names but sound like) get the picture. There are many companies both USA owned and foreign owned that have connections / business in the USA that Bob is F*c*ed before he even wakes up. Any company that thinks it can compartmentalize like a intelligence agency and still say they operate like a public business and can assure you that your privacy is safe, can now get up and leave the room single file. Lets take another example, I am a Intel officer of a foreign company outside the USA but surfing with Google. I plug the following inquiry for the email domain in:XYZ.gov
Dam that returns Bob's email address and a leads right to a Intel agency along with all the other agencies Bob has been emailing, thus the names of people who might have thought they wanted to work under cover at one time but have been compromised and did not even know it. What if I only want excel spreadsheets,word docs, PDF's! That brings up meetings with all kinds of folks emails and affiliations

How about the other USA Intel domains. What about a search on the Intel agencies name plus Resume. I suspect folks who list there resume online and work history's at the government places mentioned are asking for foreign Intel to make a note so next time they travel on vacation to an overseas location, our man Flynn or one of his brothers will be on your left!

Just imagine how many people in the security-industrial complex would love for Randle Flagg and Pirate Flag TV to be the public face of concern over security theatre and creeping government power.

Bruce,
Interesting that they would allow pranksters to have their photographs taken in disguise. Here in St. Louis, MO, we cannot get them to take photographs of Transgender women with a male indicator on the ID. Transgender males (female to male) are seemingly fine.
How many other DMVs subscribe to this model?
Sabine W.
St. Louis, MO

Let me address this as a native of Virginia. While any idiot can walk in and get a liscence, the incompetent DMV office has given me hell about the birth certificate that was issued for my son who was born in the state of Florida 17 years ago. Even though one of the clerks was from Florida and vouched for it, the idiot supervisor would not accept it because it was laminated. They need to tell these people to use common sense with these isssues. Oh wait, this is government that I am talking about-nothing they do ever makes sense.

After just having to deal with Virginia's DMV yet, once again (4 times in 1 week). I was finally able to get my car registered successfully BUT!!! my son who is 32 years old, a United States resident, born and raised, STILL can't get his license here in good old Virginia. He moved here back in July 06 and has been trying to get it ever since then. They have him jumping through hoops!!! Now, the latest is he must get his driving record from New Jersey. Each time we go back to DMV, they have him jump through more hoops. It's literally, a continual non stop and never ending saga of; now he needs this or now he needs that. He has every piece of idendification, PLUS, that people need to get their license. Yet, we have made over 2 dozen trips to DMV, waiting in lines that go out the door, no less, just to hear that he needs something else!!! Someone seriously needs to take an in depth look at Va. DMV policies. This is totally insane! So, now, after playing their games for 6 months already, they had another surprise/hoop for us. Now, we have to wait for New Jersey to get their collective butts in gear, print out his driving records/extract, then we have to wait to recieve it, THEN wait in line at DMV AGAIN!!!!! You want to talk about fed up?! Illegal immigrants walk in and out of DMV with a license, yet a man born and raised here can't??? How great is this country? (sarcastically meant of course) Talk about an outrage!!! Yet, there is nothing we can do but continue to play their games, in hopes of a positive outcome on our next visit to DMV. What a joke, unfortunately, the joke is on American citizens.

I've said for years that the head of the DMV (wherever you are) should be an elected official, that way some accountability can be instilled into the office. In the past, it was due to enraging experiences at DMV offices, or the issuance of parking tickets as a revenue source. Increasingly, my reasoning has turned to security, as more and more stories like this come to light.

Will making the head of every state+DC's DMV fix the problems? No, but at least there will be consequences for poorly-implemented or run systems.

Here's how my brother and I "hacked" a similar process at the Virginia DMV about 20 years ago:

1) I was legal drinking age and my brother was not, and wanted a fake ID.
2) I went to the Virginia DMV and claimed to have lost my license, and filled out the form for a new one, providing some other ID in the process.
3) When they called me to take my picture, my brother walked up for the photo (there was no check that the applicant and the person photographed were the same).

My brother had a great "fake" ID (legally issued by the government) that he used for a few years.

VA. DMV is nothing more than a bunch of Highway bandits.
They are interested primarly in harrasment of Licensed VA. Drivers by reason of the unconstitional proof of Insurance scam.
This is clearly search without cause, nowhere did anyone sign away this right.

PROTEST, Call and write You're senator
demand VA. DMV Reforms.

This is not what America is supposed to be.